SENSITIVE BUT UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE
AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

AUD-IT-13-39                Office of Audits                September 2013

Audit of
International Boundary and Water Commission,
United States and Mexico, U.S. Section,
Information Security Program

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

(U) PREFACE

(U) This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

(U) In accordance with the Federal Information Security Management Act of 2002 (FISMA), OIG performed a review of the United States Section, International Boundary and Water Commission Information Security Program for FY 2013. The report is based on interviews with employees and officials of the United States Section, International Boundary and Water Commission headquarters and field offices, direct observation, and a review of applicable documents.

(U) OIG identified areas in which improvements could be made, including the system inventory, risk management program, configuration management, security awareness and role-based training, plans of actions and milestones, remote access, continuous monitoring, contingency planning, oversight of contractor systems, personnel security, and physical and environmental protection.

(U) The recommendations contained in the report were developed on the basis of the best knowledge available and were discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

(U) I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Acting Inspector General

(U) Acronyms

(U) BCP      Business Continuity Plan
(U) BIA      Business Impact Analysis
(U) COOP     Continuity of Operations Plan
(U) COR      contracting officer's representative
(U) DRP      Disaster Recovery Plan
(U) FISMA    Federal Information Security Management Act
(U) GIS      Geographic Information System
(U) GSS      General Support System
(U) IBWC     International Boundary and Water Commission
(U) ICS      Industrial Control System
(U) IMD      Information Management Division
(U) IT       information technology
(U) ISSM     Information System Security Manager
(U) NIST     National Institute of Standards and Technology
(U) OIG      Office of Inspector General
(U) OMB      Office of Management and Budget
(U) PIN      Personal Identification Number
(U) PIV      Personal Identity Verification
(U) POA&M    Plan of Action and Milestones
(U) SBIWTP   South Bay International Wastewater Treatment Plant
(U) SCADA    Supervisory Control and Data Acquisition
(U) SP       Special Publication
(U) VPN      Virtual Private Network

(U) Table of Contents

(U) Section ........ (U) Page

(U) Executive Summary ........ 1
(U) Background ........ 2
(U) Objective ........ 4
(U) Audit Results ........ 4
    (U) Finding A. Risk Management ........ 4
    (U) Finding B. Continuous Monitoring ........ 6
    (U) Finding C. Physical and Environmental Protection ........ 8
    (U) Finding D. Plan of Action and Milestones ........ 11
    (U) Finding E. Security Capital Planning ........ 12
    (U) Finding F. Contingency Planning ........ 14
    (U) Finding G. Incident Response and Reporting ........ 15
    (U) Finding H. Configuration Management ........ 16
    (U) Finding I. Security Training ........ 17
    (U) Finding J. Remote Access Management ........ 18
    (U) Finding K. Identity and Access Management ........ 20
    (U) Finding L. Contractor Systems ........ 21
    (U) Finding M. Personnel Security ........ 24
    (U) Finding N. System Inventory ........ 27
(U) List of Recommendations ........ 29
(U) Appendices
    (U) A. Scope and Methodology ........ 33
    (U) B. Office of Inspector General FY 2012 Federal Information Security Management Act Report Statuses of Recommendations ........ 35
    (U) C. International Boundary and Water Commission Management Responses ........ 42
(U) Major Contributors to This Report ........ 49

(U) Executive Summary

(U) In accordance with the Federal Information Security Management Act of 2002[1] (FISMA), the Department of State (Department), Office of Inspector General (OIG), conducted an audit of the U.S. Section, International Boundary and Water Commission (IBWC), information security program and practices. The purpose of the audit was to determine compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). In addition, OIG reviewed IBWC's corrective actions to address weaknesses identified in OIG's FY 2012 report Audit of International Boundary and Water Commission, United States and Mexico, U.S. Section, Information Security Program (AUD/IT-13-15, November 2012). OIG closed four of 31 recommendations in the FY 2012 report, and IBWC had taken some action on the remaining 27 recommendations. The status of each recommendation from OIG's FY 2012 report is presented in Appendix B.

(SBU) During FY 2013, OIG conducted fieldwork at IBWC's U.S. Section headquarters in El Paso, TX; South Bay International Wastewater Treatment Plant (SBIWTP) and field office in San Diego, CA, and Nogales, AZ; and the continuity of operations site in Las Cruces, NM. Overall, OIG found that IBWC had implemented an information security program and had made some progress on previously identified weaknesses. However, OIG identified security control weaknesses that, if exploited, could expose IBWC to security breaches. Specifically, the weakened security controls could adversely affect the confidentiality, integrity, and availability of IBWC information and information systems. OIG provided IBWC with 27 recommendations related to 14 security control weaknesses and identified the following six significant security deficiencies requiring immediate attention:

    •   (SBU) IBWC had not developed and implemented a risk management framework for its information systems. (Finding A)
    •   (SBU) IBWC had not implemented a continuous monitoring program for its information systems. (Finding B)
    •   (SBU) IBWC had not developed a comprehensive policy and procedure for implementing physical and environmental protection controls for IBWC assets. (Finding C)
    •   (SBU) IBWC had not implemented an effective Plan of Action and Milestones (POA&M) process. (Finding D)
    •   (SBU) IBWC did not have an effective capital planning process for its information systems. (Finding E)
    •   (SBU) IBWC had not addressed many of the critical information system components for contingency planning. (Finding F)

[1] (U) E-Government Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).

(U) In its September 16, 2013, response (see Appendix C) to the draft report, IBWC agreed to 27 recommendations. Based on the response, OIG considers Recommendation 9 closed and the remaining 26 recommendations resolved, pending further action. IBWC's responses and OIG's replies to those responses are included after each recommendation.

(U) Background

(U) IBWC is an international organization established in 1889 by the U.S. and Mexican Governments to apply boundary and water treaties and agreements between the United States and Mexico. IBWC consists of a U.S. Section and a Mexican Section. Each section is independent and headed by an Engineer Commissioner. The U.S. and Mexican Sections maintain their respective headquarters in the adjoining cities of El Paso and Ciudad Juárez, Chihuahua. Although IBWC is an independent international entity, the U.S. Section takes direction from the Department on matters related to foreign policy. The joint mission of the U.S. Section and the Mexican Section is as follows:

    •   (U) Distribute the waters of the boundary-rivers between the two countries.
    •   (U) Operate international flood control along the boundary-rivers.
    •   (U) Operate the international reservoirs for conservation and regulation of Rio Grande waters for the two countries.
    •   (U) Improve the quality of water of international rivers.
    •   (U) Resolve border sanitation issues.
    •   (U) Develop hydroelectric power.
    •   (U) Establish the boundary in the area bordering the Rio Grande.
    •   (U) Demarcate the land boundary.

(U) IBWC's strategic objective is to improve and sustain the quality of effluent in accordance with applicable laws and international agreements. The U.S. Section owns the contractor-operated SBIWTP, which is responsible for meeting the Clean Water Act requirements mandated by the State of California. The SBIWTP discharges the clean water into the Pacific Ocean. The U.S. Section also maintains and operates the Nogales International Wastewater Treatment Plant in accordance with the Clean Water Act discharge standards mandated by Arizona. Each wastewater treatment plant has a Supervisory Control and Data Acquisition (SCADA)[2] system. A SCADA control center performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands are sent to remote station control devices, which are often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions. A sample SCADA screen is shown in Figure 1.

[2] (U) A SCADA is also referred to as an Industrial Control System (ICS).

(U) Figure 1. A SCADA display at the SBIWTP. (OIG photograph)

(U) The U.S. Section is in the process of developing and implementing the necessary information technology (IT) measures to meet requirements mandated by FISMA and NIST. The agency is also in the process of acquiring and installing required software and hardware, modifying IT system configurations, and implementing policies to achieve system certification and accreditation with FISMA requirements.

(U) FISMA was enacted into law as Title III, Public Law Number 107-347, on December 17, 2002. Key requirements of FISMA are as follows:

    •   (U) The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
    •   (U) An annual independent evaluation of the agency's information security programs and practices.
    •   (U) An assessment of compliance with FISMA requirements.

(U) FISMA assigns specific responsibilities to Federal agencies, NIST, OMB, and the Department of Homeland Security[3] to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost effectively reduce IT security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program and report the results to the Department of Homeland Security.

[3] (U) OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), July 6, 2010.

(U) Objective

(U) The objective of the audit was to assess the effectiveness of IBWC's information security program in FY 2013.

(U) Audit Results

(U) OIG observed that IBWC had made improvements to its security program. However, OIG identified the following control weaknesses that, if not addressed, could be detrimental to IBWC's information systems and organization. To improve the information security program and to bring the program into compliance with FISMA, OMB, and NIST requirements, OIG determined that IBWC should address the 14 control weaknesses described herein.

(U) Finding A. Risk Management

(SBU) In FY 2011[4] and FY 2012, OIG reported that IBWC had not developed an effective risk management program. The Information Management Division's (IMD) Inventory Guide listed four information systems and one major application: two SCADA systems;[5] the General Support System (GSS) and its major application, the Geographic Information System (GIS);[6] and the SBIWTP Admin Network, all of which required identification and management of risks. NIST Special Publication (SP) 800-37, Revision 1,[7] states the following:

    (U) Managing information system-related security risks is a complex, multifaceted undertaking that requires the involvement of the entire organization from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the front lines developing, implementing, and operating the systems supporting the organization's core missions and business processes.

(SBU) IBWC had not developed a comprehensive governance structure and organization-wide risk management framework to include an information system perspective. NIST SP 800-37, Revision 1,[8] describes a "three-tiered risk management framework" in which tier one addresses risk from an organization perspective, tier two addresses risk from a mission and business process perspective, and tier three addresses risk from an information system perspective. NIST SP 800-39[9] lists "risk framing, risk assessment, risk response, and risk monitoring" as the four steps for assessing risk of information systems. A comprehensive governance structure and organization-wide risk management framework to include an information system perspective did not exist because IBWC could not identify risk management guidance to complete its draft risk management framework.

[4] (U) Evaluation of the United States Section, International Boundary and Water Commission, Information Security Program (AUD/IT-12-16, Nov. 2011).
[5] (U) The two SCADA systems are located in Nogales and San Diego.
[6] (U) GSS and GIS are located in El Paso.
[7] (U) NIST SP 800-37, rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, "Integrated Organization-Wide Risk Management," Feb. 2010.
[8] (U) Ibid.

(SBU) IBWC did not have Security Authorization Packages, to include risk assessments, security plans, privacy impact assessments, and management authorizations to operate, for GSS, the two SCADA systems, and the SBIWTP Admin Network. In addition, IBWC's GIS did not have an application security plan. NIST SP 800-53, Revision 3,[10] requires that an organization develop, distribute, and update formal security assessment and authorization policies. Security Authorization Packages had not been completed because IBWC did not have sufficient resources to complete the necessary security documents for all IBWC information systems.

(SBU) IBWC's GIS had an improper application classification and impact level. IBWC's IMD Inventory Guide quotes Federal Information Processing Standards 199 and states that "a major application is expected to have an impact level of moderate or high." IBWC's IMD Inventory Guide listed its GIS with a low confidentiality, integrity, and availability impact level, resulting in a low impact system. GIS received a low impact level and the classification of a major application because IMD planned to include GIS in the same accreditation boundary as GSS and assumed GIS had to be classified as a major application.

(SBU) IBWC had identified the SBIWTP Admin Network as its own information system without performing ongoing security control assessments to ensure information security requirements were in place. NIST SP 800-53, Revision 3,[11] states that organizations should "establish a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security control assessments." IBWC had not performed ongoing security control assessments of the SBIWTP because it did not have access to the system and relied on the contractor to perform them. Without a risk management program, IBWC cannot prioritize, assess, respond to, and monitor information security risk, leaving IBWC vulnerable to outside attacks and insider threats.

    (SBU) Recommendation 1. OIG recommends that the International Boundary and Water Commission update and finalize its risk management framework to include all three tiers of managing risk, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision 1, and the four risk management steps, as required by NIST SP 800-39.

    (SBU) Management Response: IBWC agreed with the recommendation, stating that it was in the process of finalizing a risk management framework.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has finalized its risk management framework to include all three tiers of managing risk.

    (SBU) Recommendation 2. OIG recommends that the International Boundary and Water Commission (IBWC) determine the ownership and classification of the South Bay International Wastewater Treatment Plant Admin Network and the Geographic Information System in accordance with Federal Information Processing Standards 199 and update the IBWC Inventory Guide.

    (SBU) Management Response: IBWC agreed with the recommendation, stating that it is discussing ownership of the system with Veolia. IBWC further stated that it will reclassify the SBIWTP Veolia and the GIS in accordance with FIPS 199 by the end of 2013.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that the ownership and classification of the SBIWTP Admin Network and the GIS have been determined.

    (SBU) Recommendation 3. OIG recommends that the International Boundary and Water Commission (IBWC) develop security authorization packages for all IBWC information systems based on the determination of ownership and classification, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

    (SBU) Management Response: IBWC agreed with the recommendation, stating that the results and reclassification of the systems will be used to develop the authorization packages for all IBWC systems once the risk assessment for the GIS has been completed.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that authorization packages were developed for all IBWC information systems based on determined ownership and classification.

[9] (U) NIST SP 800-39, Managing Information System Risk, app. E, Mar. 2011.
[10] (U) NIST SP 800-53, rev. 3, Recommended Security Controls for Federal Information Systems, "CA-1 Security Assessment and Authorization Policies and Procedures," Aug. 2009 (last updated May 2010).
[11] (U) NIST SP 800-53, rev. 3, "CA-7 Continuous Monitoring."

(U) Finding B. Continuous Monitoring

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have effective continuous monitoring management of its information systems. In FY 2013, OIG found that IBWC had not established a continuous monitoring program to include information system activity log reviews and ongoing assessments of its SCADA systems. NIST SP 800-137[12] states, "Information security continuous monitoring is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."

(SBU) Although IBWC had procured and utilized some automated tools to perform system scans of its GSS, IBWC had not established a continuous monitoring program for all four information systems and its major application. NIST SP 800-53, Revision 3,[13] states that organizations should "establish a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security control assessments." According to the Information System Security Manager (ISSM), IBWC did not have a continuous monitoring program because it did not have all the tools in place to create a continuous monitoring strategy.

(SBU) IBWC also did not perform ongoing vulnerability assessments of its SCADA systems. NIST SP 800-53, Revision 3,[14] states that organizations should "establish a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security control assessments." In addition, [Redacted] (b) (5). NIST SP 800-53, Revision 3,[15] states that an organization "reviews and analyzes information system audit records for indications of inappropriate or unusual activity." According to IBWC officials, [Redacted] (b) (5)

(SBU) Without an established continuous monitoring strategy and an implemented program to perform ongoing security control assessments, there is an increased risk that threats and vulnerabilities will remain undetected rather than being identified and mitigated in a timely manner, leading to potential damage or disruption of IBWC information systems.

    (SBU) Recommendation 4. OIG recommends that the Information Management Division establish a continuous monitoring strategy and implement a continuous monitoring program for all International Boundary and Water Commission information systems, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and as outlined in NIST SP 800-137.

    (SBU) Management Response: IBWC agreed with the recommendation, stating that it had implemented a continuous monitoring solution to perform vulnerability scanning and advanced risk assessment threats. IBWC further stated that it was in the process of hiring personnel and issuing a contract for continuous monitoring services.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IMD has established a continuous monitoring strategy and implemented a continuous monitoring program for all IBWC information systems.

[12] (U) NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, "Executive Summary," Sept. 2011.
[13] (U) NIST SP 800-53, rev. 3, "CA-7 Continuous Monitoring."
[14] (U) Ibid.
[15] (U) NIST SP 800-53, rev. 3, "AU-6 Audit Monitoring, Analysis, and Reporting."

(U) Finding C. Physical and Environmental Protection

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC management had not developed and implemented effective physical and environmental protection controls for IBWC assets, to include information systems. In FY 2013, OIG found that IBWC had made physical protection improvements at the SBIWTP by installing new locks on the SCADA rooms to prevent unauthorized access. Although IBWC had made improvements to physical protection, OIG observed other security deficiencies.

(SBU) IBWC had not developed a comprehensive policy and procedure for implementing physical and environmental protection controls for IBWC assets. NIST SP 800-53, Revision 3,[16] states that an organization should develop formal, documented physical and environmental protection policies and procedures to implement physical and environmental controls.

(SBU) SBIWTP had five gates: Gates 1, 2, and 5 provided access to the facility, and Gates 3 and 4 provided access between the United States and Mexico. [Redacted] (b) (5), [Redacted] (b) (7)(F)

[Redacted] (b) (5), [Redacted] (b) (7)(F)

[16] (U) NIST SP 800-53, rev. 3, "PE-1 Physical and Environmental Protection Policy and Procedures."

[Redacted] (b) (5), [Redacted] (b) (7)(F)

(SBU) IBWC had not maintained visitor access logs for areas where the information systems reside in El Paso, Las Cruces, San Diego, and Nogales. NIST SP 800-53, Revision 3,[18] states an organization should maintain and review "visitor access records to the facility where the information system resides." In addition, SBIWTP access cards and remote controls lacked chain of custody and could not provide accountability for personnel who accessed the facility. OIG requested documentation demonstrating chain of custody for access cards and remote controls, but no documentation was provided. In addition, OIG asked the SBIWTP Plant Superintendent to determine whether personnel accountability existed for access devices, and the Superintendent stated that IBWC [Redacted] (b) (5), [Redacted] (b) (7)(F). The Superintendent further stated that SBIWTP plans on ordering new access devices [Redacted] (b) (5), [Redacted] (b) (7)(F). NIST SP 800-53, Revision 3,[19] states that an organization should inventory physical access devices.

[18] (U) NIST SP 800-53, rev. 3, "PE-8 Access Records."
[19] (U) NIST SP 800-53, rev. 3, "PE-3 Physical Access Control."

(SBU) OIG observed security weaknesses present in IBWC's server rooms.[20] [Redacted] (b) (5), [Redacted] (b) (7)(F)

(SBU) These conditions existed because IBWC management had focused resources on maintaining mission critical operations and had not prioritized the development of a comprehensive policy and procedure to establish and implement physical and environmental protection controls for IBWC assets. Without physical and environmental protection controls, IBWC assets are not receiving the organized attention required to prevent unauthorized access or destruction, which could affect IBWC operations and result in an environmental incident.

    (SBU) Recommendation 5.
OIG recommends that the International Boundary and\n              Water Commission (IBWC) develop and implement policies and procedures for physical\n              and environmental protection controls for IBWC assets to include information systems at\n              headquarters and at each field office, in accordance with National Institute of Standards\n              and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-\n              82.\n\n              (SBU) Management Response: IBWC agreed with the recommendation, stating that it\n              had developed and implemented a risk assessment policy and procedures to incorporate\n              required physical and environmental protection controls for IBWC assets, including all\n              information systems.\n\n              (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation\n              can be closed when OIG reviews and accepts documentation or evidence showing that\n              the IBWC has developed and implemented policies and procedures for physical and\n              environmental protection controls for IBWC assets to include all of its information\n              systems.\n\n              (SBU) Recommendation 6. OIG recommends that the International Boundary and\n              Water Commission develop and implement [Redacted] (b) (5)\n                                                            as required by National Institute of\n              Standards and Technology Special Publication 800-53, Revision 3.\n\n\n\n\n     20\n        (U) OIG visited all seven server rooms at the following locations: one in El Paso, one in Nogales, four in San\n     Diego, and one in Las Cruces.\n     21\n        (U) NIST SP 800-53, rev. 3, \xe2\x80\x9cPE-13 Fire Protection.\xe2\x80\x9d\n     22\n        (U) NIST SP 800-53, rev. 
3, \xe2\x80\x9cPE-3 Physical Access Control.\xe2\x80\x9d\n                                                    10\n                                        SENSITIVE BUT UNCLASSIFIED\n\x0c                                            SENSITIVE BUT UNCLASSIFIED\n\n        (SBU) Management Response: IBWC agreed with the recommendation, stating that it\n        had established policies and procedures to control access to proximity cards and remote\n        entrance devices.\n\n        (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation\n        can be closed when OIG reviews and accepts documentation or evidence showing that\n        IBWC has established policies and procedures to control access to proximity cards and\n        remote entrance devices.\n\n(U) Finding D. Plan of Action and Milestones\n        (SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an effective\nPOA&M process. In FY 2013, OIG found that POA&M entries were not fully completed. In\naddition, POA&Ms were included in IBWC\xe2\x80\x99s database for vulnerabilities that did not actually\nexist for its information systems. Finally, [Redacted] (b) (5)\n                                               NIST SP 800-64 states, \xe2\x80\x9cThe purpose of the\nPOA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress\nof corrective efforts for security weaknesses found in programs and systems.\xe2\x80\x9d\n\n        (SBU) IBWC had incomplete POA&Ms in its database. 
[Redacted] (b) (5)

IBWC's POA&M Directive states, "Actual dollars or staff hours needed to correct a weakness must be identified as part of the initial corrective action plan in the 'Resources' and 'Man Hours' fields of the POA&M." The directive also states, "Each control/weakness must have at least one corresponding milestone with an anticipated completion date." POA&M entries lacked these required elements because of an oversight by the ISSM.

(SBU) The ISSM erroneously entered 174 POA&Ms in IBWC's POA&M database. NIST SP 800-53, Revision 3,[24] states that an organization should develop POA&Ms "for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system." According to the ISSM, the 174 POA&Ms were recorded in the POA&M database based on information presented in a training class that he had attended; they were not derived from supporting security assessments.

(SBU) [Redacted] (b) (5)
NIST SP 800-53, Revision 3,[25] states that an organization should [Redacted] (b) (5) POA&Ms [Redacted] (b) (5)

[23] (U) NIST SP 800-64, Security Considerations in the System Development Life Cycle, Oct. 2008.
[24] (U) NIST SP 800-53, rev. 3, "CA-5 Plan of Action and Milestones."
[25] (U) Ibid.

[Redacted] (b) (5)

(SBU) Recommendation 7. OIG recommends that the Information Management Division update and implement its Plan of Action and Milestone Directive to include all information systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had begun updating the POA&M database.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has updated its POA&M database.

(SBU) Recommendation 8. OIG recommends that the Information Management Division update the Plan of Action and Milestone database [Redacted] (b) (5) as stated in the International Boundary and Water Commission Plan of Action and Milestone Directive for all information systems.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had begun updating the POA&M database.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has updated its POA&M database.

(U) Finding E. Security Capital Planning

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an effective capital planning process, including completion of a business case/Exhibit 300/Exhibit 53. NIST SP 800-65[26] states the following:

(U) [FISMA] requires agencies to integrate IT security into their capital planning and enterprise architecture processes, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the OMB. Therefore, the implementation of FISMA legislation effectively integrates IT security and capital planning because agencies must document resource and funding plans for IT security. Furthermore, implementation of FISMA legislation is intended to ensure that agency resources are protected and risk is effectively managed. The legislation requires that agencies incorporate IT security into the life cycle of their information systems.

[26] (U) NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, "Executive Summary," Jan. 2005.

(SBU) In FY 2013, OIG found that IBWC did not have an effective capital planning process for its information systems. Specifically, IBWC did not complete a business case/Exhibit 300/Exhibit 53. NIST SP 800-53, Revision 3,[27] states that organizations should "determine, document, and allocate the resources required to protect their information systems as part of its capital planning and investment control process." NIST SP 800-53, Revision 3,[28] also states that an "organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required."

(SBU) According to the IBWC Chief Administrative Officer, IBWC had not completed security capital planning because, based on its interpretation of OMB Circular A-11,[29] it was not required to do so. OMB Circular A-11 lists the legislative and judicial branches and specific executive branch agencies, along with certain Government-sponsored enterprises, as being exempt from submitting capital planning documentation. However, OMB Circular A-11 does not identify IBWC as exempt. In addition, IBWC had not completed security capital planning because the resource requirement for all POA&Ms, which helps calculate budgetary needs for its information system components, did not always exist. Finally, IBWC could not determine its information system inventory to quantify security capital funding needs. Without an effective security capital planning process, IBWC management will be unable to prioritize and remediate security weaknesses and vulnerabilities or perform equipment upgrades to support business operations.

(U) Recommendation 9. OIG recommends that the International Boundary and Water Commission complete a business case/Exhibit 300/Exhibit 53 to obtain the resources required to protect its information systems, as required by National Institute of Standards and Technology Special Publication 800-65.

(U) Management Response: IBWC agreed with the recommendation, stating that all of its IT assets have been inventoried and that it will continue to maintain the inventories along with associated costs.

[27] (U) NIST SP 800-53, rev. 3, "SA-2 Allocation of Resources."
[28] (U) NIST SP 800-53, rev. 3, "PM-3 Information Security Resources."
[29] (U) OMB Circular A-11 Part 2, Preparation and Submission of Budget Estimates, Aug. 2012.

(U) OIG Analysis: OIG considers the recommendation closed.
Subsequent to audit fieldwork, IBWC provided documentation showing that OMB had confirmed that the requirement to complete a business case was not applicable to smaller agencies.

(U) Finding F. Contingency Planning

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an effective contingency planning program. In FY 2013, OIG found that IBWC did not have a Business Impact Analysis (BIA), a Business Continuity Plan (BCP), a Disaster Recovery Plan (DRP), or a Continuity of Operations Plan (COOP). A BIA identifies and prioritizes the information systems and components critical to supporting the organization's mission. A BCP provides procedures for sustaining business operations while recovering from a significant disruption. A DRP provides procedures for relocating information system operations to an alternate location. A COOP provides procedures to sustain an organization's mission-essential functions at an alternate site for up to 30 days. NIST SP 800-34, Revision 1,[30] states that "contingency planning refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods."

(SBU) Although IBWC had developed the capability to virtually access a server at its alternate processing site in Las Cruces in FY 2013, it had not addressed many of the critical contingency planning components. Specifically, IBWC had not conducted a BIA or developed a BCP, DRP, or COOP. NIST SP 800-34, Revision 1,[31] states that an organization should "develop a contingency planning policy statement, conduct a business impact analysis, identify preventive controls, create contingency strategies, develop an information system contingency plan, ensure plan testing, training, exercises, and ensure plan maintenance." NIST SP 800-53, Revision 3,[32] defines the requirements for an organization to develop and maintain contingency planning policies, procedures, and contingency plans. IBWC's IMD chose to focus on daily operations instead of devoting resources to developing contingency planning documents for its information systems. Without an effective contingency planning program, IBWC is at risk of being unable to access critical information and maintain business functions during an extended outage or disaster.

(SBU) Recommendation 10. OIG recommends that the International Boundary and Water Commission prioritize resources to complete contingency planning documents for all information systems, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-34, Revision 1.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had begun its BIA for the GSS, which will support its BCP and COOP documentation.

[30] (U) NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems, "Executive Summary," May 2010.
[31] (U) Ibid.
[32] (U) NIST SP 800-53, rev. 3, "CP-1 Contingency Planning Policy and Procedures" and "CP-2 Contingency Plan."

(U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has completed contingency planning documents for all information systems.

(U) Finding G. Incident Response and Reporting

(SBU) OIG first reported in FY 2012 that the IBWC did not have effective incident response and reporting. In FY 2013, OIG found that IBWC management had not approved and implemented its Incident Response Policy, had not correlated incidents for its GSS, and had not performed incident response for its SCADA systems. According to NIST SP 800-61, Revision 2,[33] an "incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the exploited weaknesses, and restoring (IT) services."

(SBU) IBWC had only a draft Incident Response Policy. NIST SP 800-53, Revision 3,[34] states that an organization should "develop an incident response plan that is reviewed and approved by designated officials within the organization." IBWC's Incident Response Policy remained in draft because IBWC management had not prioritized review and approval of the policy to ensure the inclusion of all IBWC information systems.

(SBU) No incident response capability for computer security incidents existed for IBWC's SCADA systems. NIST SP 800-53, Revision 3,[35] requires an organization to "implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery." Incident response had not occurred for the SCADA systems because IBWC did not have the resources and expertise.

(SBU) IBWC did not correlate incidents identified through vulnerability scans with its incident response and reporting for its GSS. NIST SP 800-53, Revision 3,[36] requires that an organization correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. IBWC did not correlate incidents for its GSS because the Information System Security Officer had not enabled and tested the correlation capability of its vulnerability scanning software.

(SBU) Without effective incident response and reporting, IBWC lacks the capability to rapidly detect incidents, minimize loss and destruction, mitigate exploited weaknesses, and restore IT services for its information systems.

(SBU) Recommendation 11. OIG recommends that the International Boundary and Water Commission update, approve, and implement an incident response and reporting policy, to include the correlation of incidents for all information systems, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-61, Revision 2.

[33] (U) NIST SP 800-61, rev. 2, Computer Security Incident Handling Guide, "Executive Summary," Aug. 2012.
[34] (U) NIST SP 800-53, rev. 3, "IR-8 Incident Response Plan."
[35] (U) NIST SP 800-53, rev. 3, "IR-4 Incident Handling."
[36] (U) Ibid.

(SBU) Management Response: IBWC agreed with the recommendation, stating that its Incident and Response Reporting directive is finalized and currently under review by the union.

(U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that the IBWC has established, approved, and implemented an Incident and Response Reporting Directive that includes the correlation of incidents for all information systems.

(U) Finding H. Configuration Management

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an effective configuration management process. In FY 2013, OIG found that IBWC applied untested changes to a critical information system and excluded another critical information system from change management. NIST SP 800-128[37] defines configuration management as "a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems."

[Redacted] (b) (5)

(SBU) IBWC did not perform change management for its SCADA systems. NIST SP 800-82[38] states that the "change management process, when applied to the Industrial Control System (ICS), requires careful assessment by ICS experts working in conjunction with security and information technology personnel." NIST SP 800-82[39] also states, "A formal change management program should be established and procedures used to insure that all modifications to an ICS network meet the same security requirements as the original components identified in the asset evaluation and the associated risk assessment and mitigation plans." Change management did not occur for the SCADA systems because IBWC did not have the resources and expertise to perform change management of the SCADA systems. Without testing and controlling changes to its information systems, IBWC leaves its systems vulnerable to denial of service and the potential introduction of security weaknesses.

[37] (U) NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, sec. 2.1.1, Aug. 2011.
[38] (U) NIST SP 800-82, sec. 3.1, "Change Management."
[39] (U) NIST SP 800-82, sec. 6.2.4, "ICS Specific Recommendations and Guidance."

(SBU) Recommendation 12. OIG recommends that the International Boundary and Water Commission (IBWC) implement testing of all changes to its information systems, as required by the IBWC Configuration Management Directive and National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had acquired resources and hardware to implement a virtual testing environment for all changes to its information systems.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that all changes made to the IBWC information systems are tested prior to installation.

(SBU) Recommendation 13. OIG recommends that the International Boundary and Water Commission update and implement its configuration management policy to include change management of Supervisory Control and Data Acquisition systems, as required by National Institute of Standards and Technology Special Publication 800-82.

(SBU) Management Response: IBWC agreed with the recommendation, stating that a contract is being issued to conduct risk assessments of its SCADA systems, which includes development of a configuration management policy.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has developed a configuration management policy for its SCADA systems.

(U) Finding I. Security Training

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an effective security training program. In FY 2013, OIG found that IBWC employees were not required to take initial security training before gaining access to IBWC information systems. NIST SP 800-16[40] states, "Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them."

(SBU) OIG observed that all IBWC employees and contractors had completed their security awareness training for 2012.[41] However, employees were able to gain access to IBWC systems without taking initial security training.
NIST SP 800-53, Revision 3,[42] states that the "organization provide basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users."

[40] (U) NIST SP 800-16, Information Technology Security Training Requirements, sec. 1.1, Apr. 1998.
[41] (U) IBWC conducts security awareness training on a calendar year basis instead of a fiscal year basis.
[42] (U) NIST SP 800-53, rev. 3, "AT-2 Security Awareness."

NIST SP 800-53, Revision 3,[43] also states that the "organization provides role-based security-related training before authorizing access to the system." Employees gained access to IBWC information systems without initial security training because IMD granted network access to new employees without requiring them to complete initial security awareness training and provide documentation that it had occurred. Without proper IT security training, personnel may be unaware of risks that could compromise the confidentiality, integrity, and availability of the data residing on IBWC's information systems.

(SBU) Recommendation 14. OIG recommends that the Information Management Division ensure that all new employees receive security awareness training before being authorized access to the network, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC agreed with the recommendation, stating that IMD requires all new employees to complete security awareness training within 5 days of arrival and prior to obtaining network access.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that all new employees have been required to complete security awareness training within 5 days of their arrival and prior to obtaining network access.

(U) Finding J. Remote Access Management

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an approved access control policy or effective remote access controls in place. Remote access occurs when a user (or a process acting on behalf of a user) gains access to an organizational information system by communicating through an external network. In FY 2013, OIG observed the following weaknesses in remote access management.

(SBU) IBWC had not finalized and implemented an access control policy, a precursor to effective remote access management. NIST SP 800-53, Revision 3,[44] states that an "organization develops, disseminates, and reviews" a formal, documented access control policy to facilitate the implementation of access controls.
The Commissioner had not approved IBWC's Access Control Policy, which contained a section on remote access, because the local employee union was still reviewing the policy.

(SBU) IBWC did not require unique identification and authentication of users when logging on to IBWC's Virtual Private Network (VPN). NIST SP 800-53, Revision 3,[45] states, "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)." [Redacted] (b) (5)

[43] (U) NIST SP 800-53, rev. 3, "AT-3 Security Training."
[44] (U) NIST SP 800-53, rev. 3, "AC-1 Access Control Policy and Procedures."
[45] (U) NIST SP 800-53, rev. 3, "IA-2 Identification and Authentication."

[Redacted] (b) (5)

(SBU) None of the 55 IBWC remote access/VPN users had completed a telework agreement. The IBWC Telework Directive, dated April 24, 2012, states, "Every request for a telework arrangement must be requested using the Telework Agreement Application, IBWC Form 350 and routed through the employee's chain of command and to approving authority. All approved telework agreements are to be forwarded through the Human Resources Office for review and concurrence." IMD had not implemented its telework directive to require all personnel with remote access to complete a telework agreement because it had not prioritized its limited resources to produce telework agreements.

(SBU) Without measures to implement controls for remote access, unauthorized activities can occur without timely detection, which could affect the confidentiality, integrity, and availability of IBWC data. Inadequate remote access controls increase the risk of compromised accounts performing unauthorized activities on IBWC's information systems.

(SBU) Recommendation 15. OIG recommends that the Information Management Division finalize and implement its access control policy, which includes remote access, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had finalized and implemented its access control policy.

(U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that the IBWC access control policy has been updated and finalized to include remote access requirements.

[Redacted] (b) (5)

[46] (U) OMB M-06-16, Protection of Agency Sensitive Information, June 2006.

[Redacted] (b) (5)

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence [Redacted] (b) (5) identification of users.

(SBU) Recommendation 17. OIG recommends that the International Boundary and Water Commission (IBWC) ensure all employees that require remote access capabilities for telework complete telework agreements and obtain appropriate approval, as required by IBWC’s Telework Directive.

(SBU) Management Response: IBWC agreed with the recommendation, stating that the Telework Directive was being updated to include and document mobile workforce requirements. IBWC further stated that telework agreements were being completed by existing mobile workforce employees and should be in place by the end of 2013.

(U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has updated its Telework Directive to include mobile workforce requirements and that IBWC’s documented telework agreements are in place for existing mobile personnel by the end of 2013.

(U) Finding K. Identity and Access Management

(SBU) OIG first reported in FY 2012 that IBWC did not have effective identity and access management for its information systems. In FY 2013, OIG found that IBWC employees did not utilize their Personal Identity Verification (PIV) cards to satisfy multifactor authentication requirements. PIV cards are identification cards that the Government issues to employees and contractors to allow authorized users physical and logical access. PIV cards are not issued until the authorizing agency has determined sound criteria for verifying an employee’s identity. The full implementation of PIV cards would help IBWC meet two of three multifactor authentication requirements because an individual must “have” a physical PIV card and must “know” the card’s Personal Identification Number (PIN) in order to gain physical and logical access.

(SBU) Although OIG found that IBWC had begun to implement the use of PIV cards, not all employees were utilizing their PIV cards. [Redacted] (b) (5) NIST SP 800-53, Revision 3,[47] states that privileged and non-privileged accounts use multifactor authentication to access information systems. According to the ISSM, IBWC had not procured PIV card readers for all employees, the network client software had prevented PIV process implementation, and in some cases, employees had forgotten their PINs, which prevented IBWC personnel from using their PIV cards to logically access the system. Without multifactor authentication, a compromised user identity could be used to gain unauthorized access to sensitive information, resulting in data manipulation.

[47] (U) NIST SP 800-53, rev. 3, “IA-2 Identification and Authentication.”

(SBU) Recommendation 18. OIG recommends that the International Boundary and Water Commission identify and implement a multifactor authentication solution, to include a process for resetting employee Personal Identification Numbers, for logical access to information systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Management Response: IBWC agreed with the recommendation, stating that a two-factor authentication solution has been implemented and that the Personnel Security Policy was being updated to include procedures for resetting employee PINs for logical access to information systems.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that a two-factor authentication solution has been implemented and that procedures have been established for resetting employees’ PINs for logical access to information systems.

(U) Finding L. Contractor Systems

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC had not implemented an effective oversight program for its contractor system.
In FY 2013, OIG found that IBWC had not implemented a policy for oversight of its contractor-operated system. In addition, IBWC’s contractor-operated system in San Diego was not compliant with contract terms and FISMA requirements. Finally, three contractors at SBIWTP had not obtained their PIV cards. OMB Memorandum M-12-20[48] states, “Agencies are fully responsible and accountable for ensuring all [FISMA] and related policy requirements are implemented and reviewed and such must be included in the terms of the contract.”

(SBU) IBWC had not fully implemented an effective oversight program that included a policy for oversight of its contractor-operated system. According to FISMA Section 3544,[49] agencies should implement policies and procedures to reduce risks for systems operated by the agency or a contractor. In addition, OIG found that the contractors lacked compliance with FISMA and the contract that IBWC produced for the operation of its SCADA system in San Diego. [Redacted] (b) (5). In addition, the contractors purchased equipment without review and approval from IMD. The Amendment of Solicitation/Modification of Contract M027 between the IBWC and Veolia Water West Operating Services, dated April 24, 2012, states that the contractor shall achieve required compliance with FISMA for both the Supervisory Control and Data Acquisition network and the Veolia network at the SBIWTP. The contract modification also states, “prior to purchase all future IT software and hardware items for the SBIWTP shall be submitted to the IMD at IBWC for review and approval.”

[48] (U) OMB M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Oct. 2, 2012.
[49] (U) FISMA, Title III-Information Security, sec. 3544.

(SBU) Further, three of 21 adjudicated contractors had not received their PIV cards at the SBIWTP. Homeland Security Presidential Directive 12[50] states that agencies shall require contractors to use identification in gaining physical and logical access to federally controlled facilities and information systems.

(SBU) An effective contractor oversight program did not exist because the appointment letter for the contracting officer’s representative (COR) had not addressed FISMA compliance and oversight of the SBIWTP information system. The COR believed that IMD was responsible for oversight of the IT assets. Ultimately, there was confusion about the COR’s responsibility to ensure FISMA compliance, as the appointment letter[51] states that the COR will “[m]onitor the contractor’s performance in accordance with the Government’s Quality Assurance Surveillance Plan, notify the contractor of deficiencies observed during surveillance and direct appropriate action to effect correction.”

(SBU) Without proper contractor oversight, IBWC has minimal assurance that contractor personnel and operations are compliant with the contract, FISMA, and OMB requirements. In addition, there is an increased risk that data collected, processed, and maintained is exposed to unauthorized access, use, disclosure, disruption, modification, or destruction. Finally, IBWC could pay for unnecessary contractor services and products.

(SBU) Recommendation 19.
OIG recommends that the International Boundary and Water Commission develop and implement a program to include policy for information security oversight of contractors, as required by the Federal Information Security Management Act Title III, Section 3544.

(SBU) Management Response: IBWC agreed with the recommendation, stating that policy was being developed for information security oversight of contractors.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that policy has been developed for information security oversight of contractors.

(SBU) Recommendation 20. OIG recommends that the International Boundary and Water Commission ensure that its Information Management Division is responsible for the oversight of information technology assets purchased and maintained by the contractor in support of operations at the South Bay International Wastewater Treatment Plant, as required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-82.

[50] (U) Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, Aug. 27, 2004.
[51] (U) A COR was appointed by the contracting officer on Sept. 30, 2010.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had issued a contract modification to notify the contractor of IBWC’s oversight requirements.

(U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has issued a contract modification to notify the contractor of IBWC’s oversight requirements.

(SBU) Recommendation 21. OIG recommends that the International Boundary and Water Commission review and update the appointment letter of the existing contracting officer’s representative at South Bay International Wastewater Treatment Plant to include responsibilities for implementing Federal Information Security Management Act (FISMA) compliance for information system assets or appoint another individual the duties for overseeing the FISMA compliance for information system assets.

(SBU) Management Response: IBWC agreed with the recommendation, stating that the appointment letter of the existing COR at SBIWTP was being amended to include additional responsibilities related to FISMA compliance. IBWC further stated that an appointment letter was also issued to assign the ISSM full responsibility over FISMA compliance.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that the appointment letter of the existing COR at SBIWTP is amended to include additional responsibilities related to FISMA compliance and that an appointment letter has been issued to assign the ISSM full responsibility over FISMA compliance.

(SBU) Recommendation 22.
OIG recommends that the International Boundary and Water Commission (IBWC) ensure its Information Management Division reviews and approves software prior to installation on IBWC assets, as required by The Amendment of Solicitation/Modification of Contract M027.

(SBU) Management Response: IBWC agreed with the recommendation, stating that the contractor is required to notify IMD of all planned IT purchases and that IMD will review all purchase requests as required.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that contractors have notified IMD of all IT purchases and that IMD has reviewed and approved the use of such software prior to its purchase and installation.

(U) Finding M. Personnel Security

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC had not properly performed background screening for employees and contractors prior to granting them access to information systems and physical assets of both IBWC and the Department. IBWC had employees who were OpenNet users and who worked in a variety of functions in support of IBWC operations, such as budget, acquisitions, and finance. IBWC employees often need OpenNet accounts to gain access to the Global Financial Management System and Integrated Logistics Management System. Further, the onsite IMD system administrator was responsible for submitting account requests and termination information to the Department.
NIST SP 800-12[52] states that “background screening helps determine whether a particular individual is suitable for a given position.” IBWC made progress in addressing previously identified deficiencies regarding suitability screenings for some employees and contractors, particularly background screening for all employees designated as high-risk positions within the IMD. However, OIG identified the following deficiencies in FY 2013.

(SBU) OIG identified 35 of 69[53] IBWC employees designated as requiring an investigation higher than the standard National Agency Check and Inquiries. OIG found that these 35 employees had not had their investigations upgraded to meet the requirements in the IBWC Personnel Security and Suitability Directive. Specifically, within those 35 employees, OIG identified 13 of 14 Area Operation Managers or Assistant Area Operation Managers that did not have a Background Investigation performed. Area Operations Managers are located at each of the IBWC field operations and at times may be required to perform IT duties. In addition, two attorneys within the IBWC Office of General Counsel did not have the required single scope background investigation. The IBWC Personnel Security and Suitability Directive requires that High Risk positions have a Background Investigation performed. In addition, the directive states, “Investigations for Critical-Sensitive, Special-Sensitive, Moderate and High Risk positions, must be conducted pre-placement, unless a waiver is authorized.” Background investigations did not occur because IBWC position descriptions did not properly incorporate the risk designation appropriate for the position, nor did the position descriptions specify the requirement to maintain an appropriate clearance level or state that the position required a background investigation.
In addition, the IBWC Office of General Counsel advised the suspension of background screenings until the upgraded position descriptions are completed to reflect these requirements.

(SBU) OIG identified 36 of 47[54] IBWC OpenNet users who were not in compliance with the memorandum that the Bureau of Diplomatic Security, Security Infrastructure, Computer Security, sent to the Bureau of Resource Management, Deputy Chief Financial Officer, Global Financial Management System, dated August 2012, regarding OpenNet extensions at IBWC. The August 2012 memorandum regarding “Annual Renewal of the OpenNet Extension at USIBWC Headquarters in El Paso, Texas,” states the following:

    (U) All [U.S. Section] IBWC personnel that have unescorted physical and/or logical access to OpenNet must have, at a minimum, a Moderate Risk Public Trust certification (MRPT) on file with Diplomatic Security/Security Infrastructure/Office of Personnel Security and Suitability (DS/SI/PSS). USIBWC personnel security clearances must be passed to DS/SI/PSS and must be entered into the DS/SI/PSS database before granting access.

[52] (U) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, sec. 10.1.3, Oct. 1995.
[53] (U) OIG identified a total population of 69 IBWC employees that were designated as high-risk positions.
[54] (U) OIG identified a total population of 47 OpenNet users working at IBWC.

(SBU) IBWC OpenNet users did not comply with the memorandum because the Bureau of Diplomatic Security had not verified completion of required IBWC background screenings prior to granting IBWC employees’ access to OpenNet.
Further, the Bureau of Resource Management did not ensure compliance with the requirements of the August 2012 memorandum from Diplomatic Security/Security Infrastructure/Computer Security concerning the “Annual Renewal of the OpenNet Extension at USIBWC Headquarters in El Paso, Texas.” Finally, according to IBWC management, the Bureau of Resource Management had not provided a copy of the Memorandum to IBWC to inform them of OpenNet extension compliance requirements.

(SBU) OIG found that one of 22[55] contractors at the SBIWTP had not completed the adjudication process to determine suitability, even though OIG had identified this deficiency in FY 2012. IBWC’s Personnel Security and Suitability Directive states that the COR’s responsibilities include “[e]nsuring compliance with all investigation and reinvestigation requirements for contractor staff.” The contractor had not completed the process because the COR did not perform duties as required by the IBWC Personnel Security and Suitability Directive.

(SBU) Without full background investigations for employees, followed by adjudication and subsequent clearance, there is increased risk that individuals could gain inappropriate access to IBWC IT and physical assets. This security weakness could also affect the Department because IBWC employees would be granted access to OpenNet, a Department IT asset, without appropriate clearance levels.

(SBU) Recommendation 23.
OIG recommends that the International Boundary and Water Commission update position descriptions that require background screenings, incorporate appropriate risk designations with the position, and specify the requirement to obtain and maintain the appropriate security clearance.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had updated position descriptions for all personnel who require background screenings to include appropriate risk designations and security clearance requirements.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has updated position descriptions to specify whether a background screening is required and to include appropriate risk designations.

[55] (U) OIG identified a total population of 22 contractors working at the SBIWTP.

(SBU) Recommendation 24. OIG recommends that the International Boundary and Water Commission (IBWC) finalize suitability background screenings for both employees and contractors, to include formal adjudication and clearance, as required by IBWC’s Personnel Security and Suitability Directive.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had finalized background screenings for all employees. IBWC further stated that formal adjudication and clearance had been accomplished for approximately half of its personnel and that the remaining personnel were awaiting results from OPM.

(U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that IBWC has completed and adjudicated background screening for all employees and contractors.

(SBU) Recommendation 25. OIG recommends that the International Boundary and Water Commission (IBWC), in coordination with the Bureau of Diplomatic Security, Security Infrastructure, Computer Security, and the Bureau of Resource Management, Deputy Chief Financial Officer, Global Financial Management System, suspend IBWC employee access to OpenNet until employee background screenings are completed and adjudicated.

(SBU) Management Response: IBWC agreed with the recommendation, stating that its personnel security policy was being updated to incorporate the requirement to suspend IBWC employee access to OpenNet until required background screenings have been completed and adjudicated. IBWC further stated that notification of suspension will be issued to all applicable bureaus as necessary.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that policy has been developed and implemented to ensure that IBWC employee access to OpenNet is suspended until required background screening has been completed and adjudicated.

(SBU) Recommendation 26.
OIG recommends that the International Boundary and Water Commission (IBWC), Information Management Division, provide annual certification to the Department of State Bureau of Resource Management indicating that all IBWC OpenNet users fully comply with Department of State requirements concerning OpenNet access.

(SBU) Management Response: IBWC agreed with the recommendation, stating that it had discussed with the Department the development of a process to provide the required annual certification indicating that all IBWC OpenNet users fully comply with the Department’s OpenNet access requirements.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that a process has been developed to verify that all IBWC OpenNet users fully comply with the Department’s OpenNet access requirements.

(U) Finding N. System Inventory

(SBU) In FY 2011 and FY 2012, OIG reported that IBWC did not have an accurate information system component inventory. FISMA requires the heads of each agency to develop and maintain an inventory of major information systems operated by or under the agency’s control and to identify information systems in an inventory. In addition, to achieve effective property accountability, it may be necessary to record information such as hardware inventory specifications and the information system or component owner.

(SBU) In FY 2013, OIG found that IBWC did not have an accurate information system component inventory that reflected its current information system assets.
Although IBWC had improved its inventory tracking at the IBWC Headquarters in El Paso, OIG identified the following inventory issues at the field sites.

(SBU) The SBIWTP information system component inventory was not complete. Specifically, OIG found instances where items on the inventory list could not be physically located and items that were physically present were not recorded on the inventory list. In addition, the documented data server inventory tag number did not match the actual data server in the San Diego field office server room. Further, the Nogales SCADA system inventory did not accurately reflect current assets. Finally, the information system inventory listing, maintained by IMD, did not include the virtualization equipment for the continuity of operations site in Las Cruces. NIST SP 800-53, Revision 3,[56] states that organizations should “develop, document, and maintain an inventory for information system components that accurately reflects the current information system.” IBWC’s decentralized operations complicated the recording of IT assets because multiple personnel had a role in accounting for inventory. IMD centrally distributed IT assets to the various field offices; however, different operational elements recorded the inventory, resulting in discrepancies between the perceived and actual inventory.

(SBU) Without a full system inventory of IT assets, including the SCADA systems, IBWC does not have a full accounting and reporting of all IT assets, resulting in the inability to mitigate security risks for its assets. In addition, IBWC may not be able to determine whether assets were properly sanitized and disposed of and whether inventory was stolen or inappropriately purchased.

(SBU) Recommendation 27.
OIG recommends that the International Boundary and Water Commission develop and implement a process for conducting and maintaining information system component inventory, to include all information system components concerning the Supervisory Control and Data Acquisition systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3, and the Federal Information Security Management Act of 2002.

[56] (U) NIST SP 800-53, rev. 3, “CM-8 Information System Component Inventory.”

(SBU) Management Response: IBWC agreed with the recommendation, stating that inventory requirements have been incorporated into both contracts for SBIWTP systems. IBWC further stated that existing system inventory policies to conduct and maintain accountability for GSS will be implemented for all remaining systems by March 2014.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that a process has been implemented for conducting and maintaining information component inventory.

(U) List of Recommendations

(SBU) Recommendation 1. OIG recommends that the International Boundary and Water Commission update and finalize its risk management framework to include all three tiers of managing risk, as required by National Institute of Standards and Technology (NIST) Special Publications (SP) 800-37, Revision 1, and the four risk management steps, as required by NIST SP 800-39.

(SBU) Recommendation 2.
OIG recommends that the International Boundary and Water Commission (IBWC) determine the ownership and classification of the South Bay International Wastewater Treatment Plant Admin Network and the Geographic Information System in accordance with Federal Information Processing Standards 199 and update the IBWC Inventory Guide.

(SBU) Recommendation 3. OIG recommends that the International Boundary and Water Commission (IBWC) develop security authorization packages for all IBWC information systems based on the determination of ownership and classification, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Recommendation 4. OIG recommends that the Information Management Division establish a continuous monitoring strategy and implement a continuous monitoring program for all International Boundary and Water Commission information systems, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and as outlined in NIST SP 800-137.

(SBU) Recommendation 5. OIG recommends that the International Boundary and Water Commission (IBWC) develop and implement policies and procedures for physical and environmental protection controls for IBWC assets to include information systems at headquarters and at each field office, in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-82.

(SBU) Recommendation 6. OIG recommends that the International Boundary and Water Commission develop and implement [Redacted] (b) (5) as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Recommendation 7.
OIG recommends that the Information Management Division update and implement its Plan of Action and Milestone Directive to include all information systems, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(SBU) Recommendation 8. OIG recommends that the Information Management Division update the Plan of Action and Milestone database [Redacted] (b) (5) as stated in the International Boundary and Water Commission Plan of Action and Milestone Directive for all information systems.

(SBU) Recommendation 9. OIG recommends that the International Boundary and Water Commission complete a business case/Exhibit 300/Exhibit 53 to obtain the resources required to protect its information systems, as required by National Institute of Standards and Technology Special Publication 800-65.

(SBU) Recommendation 10. OIG recommends that the International Boundary and Water Commission prioritize resources to complete contingency planning documents for all information systems, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-34, Revision 1.

(SBU) Recommendation 11. OIG recommends that the International Boundary and Water Commission update, approve, and implement an incident response and reporting policy, to include the correlation of incidents for all information systems, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, and NIST SP 800-61, Revision 2.

(SBU) Recommendation 12.
OIG recommends that the International Boundary and Water\nCommission (IBWC) implement testing of all changes to its information systems, as required by\nthe IBWC Configuration Management Directive and National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3.\n\n(SBU) Recommendation 13. OIG recommends that the International Boundary and Water\nCommission update and implement its configuration management policy to include change\nmanagement of Supervisory Control and Data Acquisition systems, as required by National\nInstitute of Standards and Technology Special Publication 800-82.\n\n(SBU) Recommendation 14. OIG recommends that the Information Management Division\nensure all new employees receive security awareness training before authorizing access to the\nnetwork, as required by National Institute of Standards and Technology Special Publication 800-\n53, Revision 3.\n\n(SBU) Recommendation 15. OIG recommends that the Information Management Division\nfinalize and implement its access control policy, which includes remote access, as required by\nNational Institute of Standards and Technology Special Publication 800-53, Revision 3.\n\n[Redacted] (b) (5)\n\n(SBU) Recommendation 17. OIG recommends that the International Boundary and Water\nCommission (IBWC) ensure all employees who require remote access capabilities for telework\ncomplete telework agreements and obtain appropriate approval, as required by IBWC\xe2\x80\x99s\nTelework Directive.\n\n(SBU) Recommendation 18. 
OIG recommends that the International Boundary and Water\nCommission identify and implement a multifactor authentication solution, to include a process\nfor resetting employee Personal Identification Numbers, for logical access to information\nsystems, as required by National Institute of Standards and Technology Special Publication\n800-53, Revision 3.\n\n(SBU) Recommendation 19. OIG recommends that the International Boundary and Water\nCommission develop and implement a program, including policy, for information security\noversight of contractors, as required by the Federal Information Security Management Act Title\nIII, Section 3544.\n\n(SBU) Recommendation 20. OIG recommends that the International Boundary and Water\nCommission ensure that its Information Management Division is responsible for the oversight of\ninformation technology assets purchased and maintained by the contractor in support of\noperations at the South Bay International Wastewater Treatment Plant, as required by the\nNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,\nRevision 3, and NIST SP 800-82.\n\n(SBU) Recommendation 21. OIG recommends that the International Boundary and Water\nCommission review and update the appointment letter of the existing contracting officer\xe2\x80\x99s\nrepresentative at South Bay International Wastewater Treatment Plant to include responsibilities\nfor implementing Federal Information Security Management Act (FISMA) compliance for\ninformation system assets, or assign another individual the duty of overseeing FISMA\ncompliance for information system assets.\n\n(SBU) Recommendation 22. OIG recommends that the International Boundary and Water\nCommission (IBWC) ensure its Information Management Division reviews and approves\nsoftware prior to installation on IBWC assets, as required by the Amendment of\nSolicitation/Modification of Contract M027.\n\n(SBU) Recommendation 23. 
OIG recommends that the International Boundary and Water\nCommission update position descriptions that require background screenings, incorporate the\nappropriate risk designation into each position, and specify the requirement to obtain and\nmaintain the appropriate security clearance.\n\n(SBU) Recommendation 24. OIG recommends that the International Boundary and Water\nCommission (IBWC) finalize suitability background screenings for both employees and\ncontractors, to include formal adjudication and clearance, as required by IBWC\xe2\x80\x99s Personnel\nSecurity and Suitability Directive.\n\n(SBU) Recommendation 25. OIG recommends that the International Boundary and Water\nCommission (IBWC), in coordination with the Bureau of Diplomatic Security, Security\nInfrastructure, Computer Security, and the Bureau of Resource Management, Deputy Chief\nFinancial Officer, Global Financial Management System, suspend IBWC employee access to\nOpenNet until employee background screenings are completed and adjudicated.\n\n(SBU) Recommendation 26. OIG recommends that the International Boundary and Water\nCommission (IBWC), Information Management Division, provide annual certification to the\nDepartment of State Bureau of Resource Management indicating that all IBWC OpenNet users\nfully comply with Department of State requirements concerning OpenNet access.\n\n(SBU) Recommendation 27. 
OIG recommends that the International Boundary and Water\nCommission develop and implement a process for conducting and maintaining an information\nsystem component inventory, to include all information system components of the\nSupervisory Control and Data Acquisition systems, as required by National Institute of Standards\nand Technology Special Publication 800-53, Revision 3, and the Federal Information Security\nManagement Act of 2002.\n\n(U) Appendix A\n\n(U) Scope and Methodology\n\n(U) The Office of Inspector General (OIG), Office of Audits, performed this audit from\nFebruary 2013 through July 2013 at the International Boundary and Water Commission (IBWC)\nheadquarters in El Paso, TX; the continuity of operations site in Las Cruces, NM; the South Bay\nInternational Wastewater Treatment Plant and field office in San Diego, CA; and the Nogales\nInternational Wastewater Treatment Plant in Nogales, AZ.\n\n(U) OIG interviewed IBWC senior management, employees, and contractors to evaluate\nmanagerial effectiveness and operational controls in accordance with National Institute of\nStandards and Technology, IBWC, and Office of Management and Budget guidance. 
OIG\nobserved daily operations, obtained evidence to support OIG conclusions and recommendations,\nand collected written documents to supplement observations and interviews.\n\n        (U) The Federal Information Security Management Act of 2002 (FISMA) requires each\nFederal agency to develop, document, and implement an agency-wide program to provide\ninformation security for the information systems that support the operations and assets of the\nagency, including those provided or managed by another agency, contractor, or another source.\nTo ensure the adequacy and effectiveness of these controls, FISMA requires the agency\xe2\x80\x99s\ninspector general or an independent external auditor to perform annual reviews of the\ninformation security program and to report those results to the Office of Management and\nBudget (OMB) and the Department of Homeland Security (DHS). \xe2\x88\x97 DHS uses this data to assist\nin oversight responsibilities and to prepare its annual report to Congress regarding agency\ncompliance with FISMA.\n\n         (U) OIG conducted this audit in accordance with generally accepted government\nauditing standards (GAGAS). GAGAS requires an audit to be planned and performed to obtain\nsufficient, appropriate evidence to provide a reasonable basis for its findings and conclusions\nbased on the audit objective. OIG believes that the evidence obtained provides a reasonable\nbasis for its findings and conclusions based on the audit objective.\n\n        (U) OIG discussed its preliminary findings with IBWC officials on March 14, 2013. 
OIG\nalso provided IBWC with Notice of Findings and Recommendations, which were discussed in\ndetail at an exit conference held with IBWC officials on July 25, 2013.\n\n\xe2\x88\x97 (U) OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office\nof the President and the Department of Homeland Security (DHS), July 6, 2010.\n\n(U) Work Related to Internal Controls\n\n(U) OIG assessed the adequacy of internal controls by performing manual assessments of\ninternal controls related to the areas audited, through which OIG gained an understanding of the\neffectiveness of IBWC\xe2\x80\x99s FISMA-mandated information security program. OIG identified and\ndiscussed exceptions with IBWC officials to understand the reasons behind internal control\nchallenges. Through conversations with IBWC officials, OIG gained an understanding of the\npolicies and procedures related to IBWC\xe2\x80\x99s information security program. OIG learned how\nIBWC oversees the development of an information security program to protect information and\ninformation systems, to report timely results regarding the security posture of information and\ninformation systems, and to implement corrective measures to address previously identified\nFISMA findings and recommendations. OIG\xe2\x80\x99s conclusions on the internal control deficiencies\nidentified during this audit are detailed in the \xe2\x80\x9cAudit Results\xe2\x80\x9d section of this report.\n\n(U) Use of Computer-Processed Data\n\n(U) To assess the reliability of computer-processed data, the OIG reviewed\ndocumentation related to background screening of employees. 
OIG traced the background\nscreening documentation to position descriptions to determine which individuals required\nadditional background screening to perform their daily duties. OIG also used IBWC\xe2\x80\x99s inventory\nlisting retrieved from the Integrated Logistics Management System to determine if the\ndocumented inventory matched the actual inventory at each site. OIG determined that the data\nwere sufficiently reliable to support the conclusions and recommendations presented in this\nreport.\n\n(U) Appendix B\n\n(U) Office of Inspector General\nFY 2012 Federal Information Security Management Act Report\nStatuses of Recommendations\n\n(U) The FY 2012 Federal Information Security Management Act (FISMA) audit was\nconducted by the Department of State, Office of Inspector General (OIG), Office of Audits, and\ncontained 31 recommendations. \xe2\x88\x97 The audit team reviewed remedial actions implemented by\nU.S. Section International Boundary and Water Commission (IBWC) management to respond to\nthe findings identified in the OIG FY 2012 FISMA report. Below is the status of each\nrecommendation:\n\n(U) Recommendation 1. OIG recommends that the Chief Information Officer conduct an\ninventory to identify all information technology assets, including Supervisory Control and Data\nAcquisition systems for International Boundary and Water Commission.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued as\nRecommendation 27 (Finding N) in the FY 2013 report.\n\n(U) Recommendation 2. 
OIG recommends that the Chief Information Officer conduct an\nannual inventory of information technology assets and update the full system inventory when\nchanges are made to those information systems operated by or under the control of the\nInternational Boundary and Water Commission (IBWC) or by third-party contractors or agencies\non behalf of IBWC, as required by the Federal Information Security Management Act.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued as\nRecommendation 27 (Finding N) in the FY 2013 report.\n\n(U) Recommendation 3. OIG recommends that the Chief Information Officer develop a risk\nmanagement strategy, which includes the information technology strategic plan and the\nenterprise architecture at the organizational level, for assessing, addressing, and monitoring\ninformation security risks, as required by National Institute of Standards and Technology Special\nPublication 800-37, Revision 1.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 1 (Finding A) in the FY 2013 report.\n\n(U) Recommendation 4. OIG recommends that the Chief Information Officer complete the\nsecurity documents and the testing of International Boundary and Water Commission\ninformation technology assets.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 3 (Finding A) in the FY 2013 report.\n\n\xe2\x88\x97 (U) Audit of International Boundary and Water Commission, United States and Mexico, U.S. Section, Information\nSecurity Program (AUD/IT-13-15, Nov. 2012).\n\n(SBU) Recommendation 5. 
OIG recommends that the Chief Information Officer develop the\nsecurity assessment and authorization packages for the Geographic Information System and\nSupervisory Control and Data Acquisition systems and update the security assessment and\nauthorization package for the General Support System, as required by National Institute of\nStandards and Technology Special Publication (NIST SP) 800-53, Revision 3 and NIST SP 800-\n82.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 3 (Finding A) in the FY 2013 report.\n\n(U) Recommendation 6. OIG recommends that the Chief Information Officer improve existing\nprocedures to ensure security assessment and authorization packages, system security plans, and\nsecurity assessment reports are updated, as required by National Institute of Standards and\nTechnology Special Publication (NIST SP) 800-37, Revision 1 and NIST SP 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 3 (Finding A) in the FY 2013 report.\n\n(U) Recommendation 7. OIG recommends that the Chief Information Officer ensure that\nannual security assessments of a subset of a system\xe2\x80\x99s security controls are conducted, as required\nby National Institute of Standards and Technology Special Publication 800-37, Revision 1.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 3 (Finding A) in the FY 2013 report.\n\n(U) Recommendation 8. OIG recommends the Chief Information Officer develop and\nimplement configuration management and testing procedures including, but not limited to, patch\nmanagement and periodic assessments of compliance with the implemented procedures, as\nrequired by National Institute of Standards and Technology (NIST) Special Publication (SP)\n800-53, Revision 3, and NIST SP 800-40, Version 2.0.\n\n(U) Status: Closed from the FY 2012 FISMA report. 
This recommendation has been reissued\nas Recommendations 12 and 13 (Finding H) in the FY 2013 report.\n\n(U) Recommendation 9. OIG recommends that the Chief Information Officer develop and\nimplement procedures for the oversight of all systems and hardware including, but not limited to,\npatch management and periodic assessments of compliance with implemented procedures that\nare part of the International Boundary and Water Commission operations, as required by\nNational Institute of Standards and Technology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 13 (Finding H) in the FY 2013 report.\n\n(U) Recommendation 10. OIG recommends the Chief Information Officer incorporate the\nupdated incident report template into the incident response and reporting procedures and\nperiodically assess compliance with the procedures, as required by National Institute of\nStandards and Technology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 11 (Finding G) in the FY 2013 report.\n\n(U) Recommendation 11. OIG recommends that the Chief Information Officer ensure the\nsecurity awareness training policy requiring all International Boundary and Water Commission\npersonnel to attend initial security awareness training is finalized and then ensure that the\npersonnel take the training before they are provided access to information technology systems, as\nrequired by National Institute of Standards and Technology Special Publication 800-53, Revision\n3, and Office of Management and Budget Circular No. A-130.\n\n(U) Status: Closed from the FY 2012 FISMA report. 
This recommendation has been reissued\nas Recommendation 14 (Finding I) in the FY 2013 report.\n\n(U) Recommendation 12. OIG recommends that the Chief Information Officer ensure all\nInternational Boundary and Water Commission personnel attend security awareness refresher\ntraining and suspend access to information technology systems and assets when personnel fail to\nsuccessfully complete the training, as required by National Institute of Standards and\nTechnology Special Publication SP 800-53, Revision 3, and Office of Management and Budget\nCircular No. A-130.\n\n(U) Status: Closed March 2013. IBWC provided evidence of security awareness training\ncompletion for IBWC\xe2\x80\x99s employees and contractors for 2012.\n\n(U) Recommendation 13. OIG recommends that the Chief Information Officer ensure the\nspecialized security training requirement for International Boundary and Water Commission\npersonnel with significant security responsibilities is completed so that the personnel are able to\nmaintain their professional proficiency, as required by National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed March 2013. IBWC provided evidence of whom they have identified as\nhaving additional security responsibilities and provided evidence of their training completion for\n2012.\n\n(U) Recommendation 14. OIG recommends the Chief Information Officer fully implement a\nPlan of Action and Milestones process to include vulnerabilities identified from all sources and\nupdate milestone dates, as required by Office of Management and Budget Memorandum M-08-\n21 and NIST Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. 
This recommendation has been reissued\nas Recommendation 7 (Finding D) in the FY 2013 report.\n\n(U) Recommendation 15. OIG recommends that the Chief Information Officer finalize and\nimplement International Boundary and Water Commission remote access policy and procedure,\nas required by National Institute of Standards and Technology Special Publication SP 800-53,\nRevision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 15 (Finding J) in the FY 2013 report.\n\n(SBU) Recommendation 16. OIG recommends that the Chief Information Officer implement\nremote access controls that are enforced with two-factor authentication and encryption of data on\nmobile devices, as required by the Office of Management and Budget Memorandum M-06-16.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 16 (Finding J) in the FY 2013 report.\n\n(SBU) Recommendation 17. OIG recommends that the Chief Information Officer develop and\nimplement a wireless policy and procedures, as required by National Institute of Standards and\nTechnology Special Publication SP 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 15 (Finding J) in the FY 2013 report.\n\n(U) Recommendation 18. OIG recommends that the Chief Information Officer update and\nimplement identification and authentication management procedures to include the e-\nauthentication procedures, as required by National Institute of Standards and Technology Special\nPublication 800-53, Revision 3.\n\n(U) Status: Closed June 2013. 
IBWC provided evidence that the IBWC Access Control policy\nhad been finalized and that it included details on the use of Personal Identity Verification\ncards.\n\n(U) Recommendation 19. OIG recommends that the Chief Information Officer perform a risk\nassessment identifying the risks to system security, as required by the Office of Management and\nBudget Memorandum M-04-04.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 3 (Finding A) in the FY 2013 report.\n\n(SBU) Recommendation 20. OIG recommends that the Chief Information Officer develop and\nimplement policies and procedures to perform continuous monitoring to include automated\nroutine vulnerability assessments for the General Support System, the Geographical Information\nSystem, and the Supervisory Control and Data Acquisition systems. The results of such security\nassessments should be reviewed, and Plans of Action and Milestones should be developed for the\nimprovement of the security controls of major systems, as required by National Institute of\nStandards and Technology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 4 (Finding B) in the FY 2013 report.\n\n(SBU) Recommendation 21. OIG recommends that the International Boundary and Water\nCommission develop and implement contingency planning procedures and conduct testing for\noperational effectiveness of all major systems, as required by National Institute of Standards and\nTechnology Special Publication 800-34, Revision 1.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 10 (Finding F) in the FY 2013 report.\n\n(SBU) Recommendation 22. 
OIG recommends that the International Boundary and Water\nCommission finalize the continuity of operations site and conduct testing for operational\neffectiveness of all major systems, as required by National Institute of Standards and Technology\nSpecial Publication 800-34, Revision 1.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 10 (Finding F) in the FY 2013 report.\n\n(U) Recommendation 23. OIG recommends that the International Boundary and Water\nCommission ensure that its Information Management Division is responsible for the oversight of\ninformation technology assets purchased and maintained by the contractor in support of\noperations at the wastewater treatment plant in San Diego, CA, as required by National Institute\nof Standards and Technology Special Publications (SP) 800-53, Revision 3, and SP 800-82.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 20 (Finding L) in the FY 2013 report.\n\n(U) Recommendation 24. OIG recommends that the International Boundary and Water\nCommission (IBWC) ensure that its Information Management Division reviews and approves\nsoftware prior to installation on IBWC assets, as required by National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 22 (Finding L) in the FY 2013 report.\n\n(U) Recommendation 25. 
OIG recommends that the Chief Information Officer ensure that all\ninformation technology assets are accounted for, reported and tracked, and used in the\ncalculation and reporting of Exhibit 300/Exhibit 53\xe2\x80\x99s to the Office of Management and Budget.\nAdditionally, OIG recommends that International Boundary and Water Commission incorporate\nfunding requirements in the information technology strategic plan, as required by National\nInstitute of Standards and Technology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 9 (Finding E) in the FY 2013 report.\n\n(U) Recommendation 26. OIG recommends that International Boundary and Water\nCommission finalize its contractors\xe2\x80\x99 suitability clearances, including formal clearance\nadjudication, and issue badges, as required by Homeland Security Presidential Directive 12.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 24 (Finding M) in the FY 2013 report.\n\n(U) Recommendation 27. OIG recommends that International Boundary and Water\nCommission ensure that the adjudication process is completed for the information technology\nemployees undergoing background investigations.\n\n(U) Status: Closed March 2013. IBWC has performed background investigations on all\nemployees within the Information Management Division to be in accordance with their high-risk\nposition designation as stated in the IBWC Personnel Security and Suitability Directive.\n\n(U) Recommendation 28. 
OIG recommends that the International Boundary and Water\nCommission develop and implement chain-of-custody procedures to control access to the\nproximity access cards and remote gate devices along the international border.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 6 (Finding C) in the FY 2013 report.\n\n(U) Recommendation 29. OIG recommends that the International Boundary and Water\nCommission develop and implement physical access controls to restrict access to the Supervisory\nControl and Data Acquisition control centers, Programmable Logic Controller, and file servers,\nas required by National Institute of Standards and Technology Special Publication 800-82.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 5 (Finding C) in the FY 2013 report.\n\n(U) Recommendation 30. OIG recommends that the International Boundary and Water\nCommission restrict access to file servers at its San Diego, CA, wastewater treatment plant, the\nfield offices in Fort Hancock, TX, and its headquarters in El Paso, TX, and ensure the servers are\nattached to the floor to prevent damage to equipment or harm to employees, as required by\nNational Institute of Standards and Technology Special Publication 800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 5 (Finding C) in the FY 2013 report.\n\n(U) Recommendation 31. 
OIG recommends that the International Boundary and Water\nCommission determine the most cost-effective protective measures to prevent fire and damage to\nfile servers, as required by National Institute of Standards and Technology Special Publication\n800-53, Revision 3.\n\n(U) Status: Closed from the FY 2012 FISMA report. This recommendation has been reissued\nas Recommendation 5 (Finding C) in the FY 2013 report.\n\n(U) Appendix C\n\nINTERNATIONAL BOUNDARY AND WATER COMMISSION\nUNITED STATES AND MEXICO\nOFFICE OF THE COMMISSIONER\nUNITED STATES SECTION\n\nSeptember 16, 2013\n\nMr. Harold W. Geisel\nUnited States Department of State\nDeputy Inspector General\nOffice of Inspector General\nWashington, D. C. 20520\n\nSubject: Audit of the United States Section, International Boundary and Water Commission\n(IBWC) Information Security Program\n\nDear Mr. Geisel:\n\nWe appreciate the opportunity to provide responses to the FY 2013 audit findings and\nrecommendations (attached) represented in your draft report of September 3, 2013. 
We are\ncommitted to giving these our highest priority and we will continue to keep your office posted on\nour continued progress towards full implementation of all recommendations.\n\nPlease advise if you have any questions or if we may be of any assistance.\n\nSincerely,\n\nCommissioner\n\nAttached: as stated\n\nUnited States Department of State\nand the Broadcasting Board of Governors\nOffice of Inspector General\n\nOffice of Audits\n\nInternational Boundary and Water Commission,\nUnited States and Mexico, U.S. Section, Information\nSecurity Program\n\nAUD-IT-13-XX\nAugust 2013\n\n(U) Finding A. Risk Management\n\n(SBU) Recommendation 1. Agree. A risk management framework is being finalized.\n\n(SBU) Recommendation 2. Agree. Discussions with Veolia are ongoing where ownership\nof the Systems will be made clear. Reclassifications of the SBIWTP Veolia and GIS Systems\nin accordance with FIPS 199 will be completed by the end of the calendar year.\n\n(SBU) Recommendation 3. Agree. The IBWC has issued a contract for risk assessments\nof the South Bay International Wastewater Treatment Plant (SBIWTP) SCADA, Admin and\nNogales International Wastewater Treatment Plant SCADA Systems. The Geographic\nInformation System risk assessment is being finalized. 
The results of the risk assessments\nand reclassification of Systems will be used to develop authorization packages for all IBWC\nSystems.\n\n(U) Finding B. Continuous Monitoring\n\n(SBU) Recommendation 4. Agree. A continuous monitoring solution is now in place to\nperform vulnerability scanning and advanced risk and threat assessments; actions are under way to hire\npersonnel and issue a contract for continuous monitoring services. The IBWC will be accepting an\ninvitation to participate in the Department of Homeland Security\'s (DHS) Continuous Diagnostic and\nMitigation (CDM) Program, which will provide authorized vendors to perform these functions for federal\nagencies.\n\n(U) Finding C. Physical and Environmental Protection\n\n(SBU) Recommendation 5. Agree. The IBWC has developed and implemented a risk\nassessment policy and procedures, which incorporates the requirement for physical and\nenvironmental protection controls for IBWC assets. In addition, the Master Planning\nDivision (MPD) of the IBWC will be conducting assessments of all facilities to include all\ninformation system (IT/server rooms) locations and ensure that physical and environmental\nprotection controls exist or are implemented in accordance with NIST SP 800-53, Rev 3 and\nNIST SP 800-82. Designs for ongoing new admin building facilities already include all\nphysical and environmental requirements.\n\n[Redacted] (b) (5)\n\n(U) Finding D. Plan of Action and Milestones\n\n(SBU) Recommendation 7. Agree. The Information Management Division has updated its\nPoAMs database, which now excludes the 174 entries that were not derived from a supported\nsecurity assessment. 
Other updates are being made to the PoAMs database to include all\n     elements identified during the OIG FISMA audit, and in accordance with NIST SP 800-53,\n     Rev3.\n\n     (SBU) Recommendation 8. Agree. The Information Management Division approaching\n     completion of its update to the Plan of Action and Milestone database, [Redacted] (b)\n                                                                            (5)\n\n\n(U) Finding E. Security Capital Planning\n     (U) Recommendation 9. Agree. The IBWC has inventoried all its IT assets and will\n     continue to document all assets and maintain the inventory updated, along with associated\n     costs. The IBWC will also continue to represent its needs in future budget requests to ensure\n     required resources are available to protect its information systems. Development of Exhibit\n     300 and 53 is required of all CFO agencies consistent with OMB Circular A-ll guidance,\n     which is not the designation of the IBWC. OMB representatives have confirmed that the\n     requirement is not applicable to small agencies.\n\n(U) Finding F. Contingency Planning\n\n      (SBU) Recommendation 10. Agree. The IBWC has begun its Business Impact Assessment\n      for the GSS which will feed its Business Continuity Plan and Continuity of Operations\n      documentation as required. Contingency planning documentation for all other systems are\n      being planned and developed as required by SP-800-53 and NIST SP 800-34, Rev I\n\n(U) Finding G. Incident Response a nd Reporting\n      (SBU) Recommendation 11. Agree. The IBWC has finalized its Incident and Response\n      Reporting directive, which is currently under review by the union.\n\n\n(U) Finding H. Configuration Management\n\n      (SBU) Recommendation 12. Agree. 
The IBWC has acquired the resources and hardware\n      to implement a virtual testing environment to test all changes to its information systems as\n                                                 3\n\n\n\n\n                                    45\n                        SENSITIVE BUT UNCLASSIFIED\n\x0c                        SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n     required by the existing directive and NIST SP 800-53, Rev 3.\n     (SBU) Recommendation 13. Agree. The IBWC is issuing a contract to conduct risk\n     assessments of the two SCAD A systems, which includes development of configuration\n     management policy.\n\n(U) Finding I. Security Training\n     (SBU) Recommendation 14. Ag1\xc2\xb7ee. The IMD has effectively assured that all new\n     employees complete the required security awareness training within 5 days of their arrival in\n     order to obtain authorization to access the network. The established process is being followed\n     in accordance with IBWC policy SD.I.6061-M-lll Security Awareness and Training.\n\n(U) Finding J. Remote Access Management\n\n     (SBU) Recommendation 15. Agree. The IBWC has finalized and implemented its access\n     control policy.\n[Redacted] (b) (5)\n\n\n\n\n     (SBU) Recommendation 17. Agree. The Telework Directive is being updated to correctly\n     include and document mobile workforce requirements. Telework agreements for existing\n     mobile workforce employees are being completed and will be in place by the end of the\n     calendar year.\n\n(U) Finding K. Identity and Access Management\n\n     (SBU) Recommendation 18. Agree. The ffiWC has implemented a two-factor\n     authentication solution, to include a process for resetting employee Personal Identification\n     Numbers, for logical access to information systems. The Personnel Security policy is\n     being updated to incorporate this process.\n\n(U) Finding L. Contractor Systems\n\n      (SBU) Recommendation 19. Agree. 
Policy is being developed for information security\n      oversight of contractors, as required by the Federal Information Security Management Act\n      Title III, Section 3544.\n\n      (SBU) Recommendation 20. Agree. The IBWC has issued a modification to the South Bay\n                                                 4\n\n\n\n\n                                    46\n                        SENSITIVE BUT UNCLASSIFIED\n\x0c                        SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n     International Wastewater Treatment Plant contractor, notifying the contractor of IBWC\'s\n     management oversight requirements of information technology assets purchased and\n     maintained by the contractor in support of operations. A copy of the modification was\n     previously provided.\n\n     (SBU) Recommendation 21. Agree. The appointment letter of the existing contracting\n     officer\'s representative at South Bay International Wastewater Treatment Plant is being\n     amended to include responsibilities. An appointment letter has also been issued to the ISSM\n     designating him full responsibility over FISMA compliance oversight.\n\n     (SBU) Recommendation 22. Agree. The contractor is required to notify the Information\n     Management Division of all planned purchases of IT hardware and software. The IMD will\n     review all requests as required by The Amendment of Solicitation/Modification of Contract\n     M027.\n\n\n(U) Finding M. Personnel Security\n     (SBU) Recommendation 23. Agree. The IBWC has updated the position descriptions of all\n     personnel that require background screenings, which incorporate appropriate risk designations\n     with the position, and specify the requirement to obtain and maintain the appropriate security\n     clearance. Copies of the amendments were provided to the OIG during a previous update.\n\n     (SBU) Recommendation 24. Agree. 
The IBWC has finalized requests for suitability\n     background screenings for I 00% of both employees and contractors, as required by its\n     Personnel Security and Suitability Directive. Formal adjudication and clearance has been\n     accomplished for approximately half with the second half pending receipt of results from\n     OPM.\n\n     (SBU) Recommendation 25. Agree. The IBWC is incorporating into its personnel\n     security policy a process that requires the IBWC to suspend IBWC employee access to\n     OpenNet until the required background are obtained. Notification will be issued to the\n     Bureau of Diplomatic Security, Security Infrastructure, Computer Security, and the Bureau\n     of Resource Management, Deputy Chief Financial Officer, Global Financial Management\n     System to suspend accounts as necessary.\n\n     (SBU) Recommendation 26. Agr ee. The IBWC is in discussions with the Department of\n     State Bureau of Resource Management and will be developing a process to provide the\n     required annual certification indicating that all IBWC OpenNet users fully comply with\n     Department of State requirements concerning OpenNet access.\n\n\n\n\n                                                5\n\n\n\n\n                                    47\n                        SENSITIVE BUT UNCLASSIFIED\n\x0c                       SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n(U) Finding N. System Inventory\n\n     (SBU) Recommendation 27. Agree. The IBWC has incorporating the necessary inventory\n     requirements into the contract for both SBIWTP systems. 
In addition, the existing system\n     inventory policies for conducting and maintaining system component accountability for the\n     GSS will be implemented for all remaining systems by March 2014.\n\n\n\n\n                                               6\n\n\n\n\n                                   48\n                       SENSITIVE BUT UNCLASSIFIED\n\x0c                           SENSITIVE BUT UNCLASSIFIED\n\n\n(U) Major Contributors to This Report\n\nJerry Rainwaters, Director\nDivision of Information Technology\nOffice of Audits\n\nJamie Horvath, Manager\nDivision of Information Technology\nOffice of Audits\n\nKenneth Bensman, Senior Auditor\nDivision of Information Technology\nOffice of Audits\n\n\n\n\n                                       49\n                           SENSITIVE BUT UNCLASSIFIED\n\x0cSENSITIVE BUT UNCLASSIFIED\n\n\n\n\nSENSITIVE BUT UNCLASSIFIED\n\x0cSENSITIVE BUT UNCLASSIFIED\n\n\n\n\n FRAUD, WASTE, ABUSE,\n OR MISMANAGEMENT\nOF FEDERAL PROGRAMS\n   HURTS EVERYONE.\n\n         CONTACT THE\n OFFICE OF INSPECTOR GENERAL\n            HOTLINE\n      TO REPORT ILLEGAL\n   OR WASTEFUL ACTIVITIES:\n\n\n         202-647-3320\n         800-409-9926\n      oighotline@state.gov\n          oig.state.gov\n\n   Office of Inspector General\n    U.S. Department of State\n         P.O. Box 9778\n     Arlington, VA 22219\n\n\n\n\nSENSITIVE BUT UNCLASSIFIED\n\x0c'